4 files changed +6
-5
lines changed Original file line number Diff line number Diff line change @@ -25,6 +25,7 @@ profile::miscweb::sites:
25
25
# script-src: load scripts from cdn.jsdelivr.net
26
26
# script-src: load script from gd.geobytes.com
27
27
# connect-src: connect to maps.googleapis.com
28
+ # connect-src: fetch fonts from fonts.googleapis.com
28
29
# img-src: data: for inline SVGs
29
30
# img-src: load images from code.jquery.com
30
31
# img-src: load images from maps.gstatic.com
@@ -34,7 +35,7 @@ profile::miscweb::sites:
34
35
# style-src: load styles from cdn.jsdelivr.net
35
36
# style-src: unsafe-inline for supports tests in
36
37
# jQuery 1.7.3 and jQuery Mobile 1.3.0
37
- csp_header : default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline' gd.geobytes.com code.jquery.com maps.google.com cdn.jsdelivr.net; connect-src 'self' maps.googleapis.com; img-src 'self' code.jquery.com maps.gstatic.com maps.google.com data:; style-src 'self' 'unsafe-inline' code.jquery.com fonts.googleapis.com cdn.jsdelivr.net; font-src 'self' fonts.gstatic.com; report-uri https://csp-report-api.openjs-foundation.workers.dev/; report-to csp-endpoint
38
+ csp_header : default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline' gd.geobytes.com code.jquery.com maps.google.com cdn.jsdelivr.net; connect-src 'self' maps.googleapis.com fonts.googleapis.com ; img-src 'self' code.jquery.com maps.gstatic.com maps.google.com data:; style-src 'self' 'unsafe-inline' code.jquery.com fonts.googleapis.com cdn.jsdelivr.net; font-src 'self' fonts.gstatic.com; report-uri https://csp-report-api.openjs-foundation.workers.dev/; report-to csp-endpoint
38
39
podcast.jquery.com :
39
40
repository :
40
41
name : jquery/podcast.jquery.com
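Review bot: The new comment on the connect-src line says it is for fetching fonts, but fonts.googleapis.com serves the @font-face stylesheet (already allowed under style-src on the same csp_header line) while the font files themselves come from fonts.gstatic.com, already in font-src; connect-src only governs fetch()/XHR/WebSocket/EventSource requests, so the new entry only has effect if a script on the site loads that CSS programmatically. If the Report-Only reports showed a connect-src violation for it, reword the comment to say so, e.g. `# connect-src: script fetches the Google Fonts stylesheet from fonts.googleapis.com`; otherwise the entry widens the policy for nothing. The added value also carries a stray space before the semicolon (`fonts.googleapis.com ;`), harmless to browsers but inconsistent with the rest of the line. The site entry this hunk belongs to begins before the hunk.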
Original file line number Diff line number Diff line change @@ -15,7 +15,7 @@ server {
15
15
16
16
# Add Content Security Policy headers
17
17
add_header Reporting-Endpoints "csp-endpoint='https://csp-report-api.openjs-foundation.workers.dev/'";
18
- add_header Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self' code.jquery.com; connect-src 'self'; img-src 'self'; style-src 'self'; report-uri https://csp-report-api.openjs-foundation.workers.dev/; report-to csp-endpoint";
18
+ add_header Content-Security-Policy "default-src 'self'; script-src 'self' code.jquery.com; connect-src 'self'; img-src 'self'; style-src 'self'; report-uri https://csp-report-api.openjs-foundation.workers.dev/; report-to csp-endpoint";
19
19
20
20
location / {
21
21
root /srv/www/content.jquery.com;
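Review bot: The now-enforced Content-Security-Policy on the add_header line is emitted without `always`, so nginx attaches it only to 2xx/3xx responses and any 4xx/5xx page served by this vhost goes out without a policy; the gruntjs.com config changed in the same commit does pass `always`, so this file should match: `add_header Content-Security-Policy "default-src 'self'; ... report-to csp-endpoint" always;` (the Reporting-Endpoints header above it has the same gap). Note too that nginx does not inherit server-level add_header into a location block that declares its own add_header, so if `location /` (which continues past the hunk) sets any header these directives are silently dropped there; worth checking before relying on enforcement. The server block starts before the hunk.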
Original file line number Diff line number Diff line change @@ -21,7 +21,7 @@ server {
21
21
add_header Reporting-Endpoints "csp-endpoint='https://csp-report-api.openjs-foundation.workers.dev/'";
22
22
# script-src: add 'unsafe-eval' for the search functionality on gruntjs.com/plugins
23
23
# Search will need to be reimplemented to remove this exception.
24
- add_header Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self' 'unsafe-eval'; connect-src 'self'; img-src 'self'; style-src 'self'; report-uri https://csp-report-api.openjs-foundation.workers.dev/; report-to csp-endpoint" always;
24
+ add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-eval'; connect-src 'self'; img-src 'self'; style-src 'self'; report-uri https://csp-report-api.openjs-foundation.workers.dev/; report-to csp-endpoint" always;
25
25
}
26
26
27
27
location /.well-known/acme-challenge {
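Review bot: Now that this header is enforced rather than report-only, note that `default-src 'self'` does not fall through to `base-uri`, `form-action` or `frame-ancestors`, so an injected form can still post off-site and the page can still be framed unless an X-Frame-Options header is set elsewhere in this server block (not visible here). Appending `base-uri 'self'; form-action 'self'; frame-ancestors 'self'` (or `'none'` if the site is never framed) to the value would close that gap at no cost to the search page. The `'unsafe-eval'` exception documented above remains the policy's main residual weakness and is now an accepted risk rather than a report, which the comment could say explicitly. The server block starts before the hunk.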
Original file line number Diff line number Diff line change @@ -21,13 +21,13 @@ server {
21
21
# Add Content Security Policy headers
22
22
add_header Reporting-Endpoints "csp-endpoint='https://csp-report-api.openjs-foundation.workers.dev/'";
23
23
<%- if @site['csp_header'] -%>
24
- add_header Content-Security-Policy-Report-Only "<%= @site['csp_header'] %> ";
24
+ add_header Content-Security-Policy "<%= @site['csp_header'] %> ";
25
25
<%- else -%>
26
26
# script-src: add 'wasm-unsafe-eval' for WebAssembly-driven search on
27
27
# bugs.jquery.com, bugs.jqueryui.com, and plugins.jquery.com
28
28
# img-src: allow secure.gravatar.com images on plugins.jquery.com
29
29
# media-src: allow content.jquery.com media on podcast.jquery.com
30
- add_header Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self' 'wasm-unsafe-eval' code.jquery.com; connect-src 'self'; img-src 'self' secure.gravatar.com; style-src 'self'; media-src 'self' content.jquery.com; report-uri https://csp-report-api.openjs-foundation.workers.dev/; report-to csp-endpoint";
30
+ add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'wasm-unsafe-eval' code.jquery.com; connect-src 'self'; img-src 'self' secure.gravatar.com; style-src 'self'; media-src 'self' content.jquery.com; report-uri https://csp-report-api.openjs-foundation.workers.dev/; report-to csp-endpoint";
31
31
<%- end -%>
32
32
33
33
<%- if @site['allow_php'] -%>
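Review bot: The hieradata value is interpolated into the quoted nginx argument unescaped and with a trailing space inside the quotes (`"<%= @site['csp_header'] %> "`), so a csp_header containing a double quote would break the rendered config for every site at once now that the policy is enforced; hieradata is operator-controlled, so this is robustness rather than a trust boundary, but dropping the space is free: `add_header Content-Security-Policy "<%= @site['csp_header'] %>";`. Neither branch of the `<%- if -%>` passes `always`, so the enforced policy is absent from 4xx/5xx responses, unlike the gruntjs.com config changed in this commit. The enclosing server block starts before the hunk.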